Friday, May 15, 2009

HerbalMaxx - selling pills that make your digital camera automatically zoom in

It has been a long time since I last posted any new research, but just to let you know that I haven't given up and am still trying to get rid of all the spam in my inbox, here is a little research about HerbalMaxx.



HerbalMaxx is one of those wonderful sites with before and after pictures of male penises where you can easily see that either the after pictures are zoomed in, or the pill has actually made the entire person grow, not only "the little guy". So either HerbalMaxx is selling pills that make your digital camera automatically zoom in, or they sell pills that make your entire body grow.

The HerbalMaxx site I was looking at recently was www.mascroes.com. The domain is registered at Xiamen eName Network Technology Co.,Ltd, which is chosen quite often by different spammers. That doesn't surprise me much when we see the kind of totally crappy registration information they accept:



The site is/was hosted on the server with IP address 110.52.8.253, which is located in China and belongs to China Unicom.



On the same server 120+ other sites are/were hosted, which are definitely in the same category: US HealthCare Inc, some replica watch sites, etc. SpamWiki has a lot of information about US HealthCare spamming, but I must say it confuses me a little that SpamWiki primarily talks about links to the United States and Romania, because as I will show in a moment I quite clearly see a link to China. However, it would definitely not be the first time that we see spammers from very different parts of the world working together, and there is also the possibility that HerbalMaxx has just rented space on the server in China along with other unrelated spammers.

Well, enough about the information that can just be looked up using a good WHOIS service. Spammers have generally become better at validating input in their order forms, but HerbalMaxx is luckily an exception. So I played my old "show me who read the orders" game by injecting a callback to a server controlled by me into a fake order, and a few hours later I could see the following in my log files:



I have removed some of the uninteresting data. Basically what can be seen is that some non-existent images are requested from my server, and the image name is exactly the one I placed in the fake order. The images are requested from the IP address 116.22.27.74 and the referers are http://www.admin-zed.com/main.php?action=readOrder&order_id=95701 and http://www.admin-zed.com/main.php?action=updateStatus&currentStatus=0&order_id=95701. The order id matches the order id I was shown on the order confirmation page when placing the fake order.
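To show how the interesting bits (source IP, referer host, action and order id) can be pulled out of a web server log instead of reading it by eye, here is a small Python log parser. It is an added example, not code from this blog or from any of the sites mentioned. The log lines are constructed in Apache "combined" format following the pattern described above (the referer URLs are the ones quoted in the post); the canary image name `fakeorder-a7f3.gif` is an assumed placeholder for whatever name was put in the fake order. All query parameters of the referer are kept, so any other admin action that shows up (the status update and its `currentStatus`, or a later search) is reported too.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample log in Apache "combined" format. Not the author's real log;
# the two canary requests mirror the referers quoted in the post.
SAMPLE_LOG = """\
116.22.27.74 - - [14/May/2009:09:12:41 +0200] "GET /img/fakeorder-a7f3.gif HTTP/1.1" 404 211 "http://www.admin-zed.com/main.php?action=readOrder&order_id=95701" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
116.22.27.74 - - [14/May/2009:09:13:02 +0200] "GET /img/fakeorder-a7f3.gif HTTP/1.1" 404 211 "http://www.admin-zed.com/main.php?action=updateStatus&currentStatus=0&order_id=95701" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
66.249.65.12 - - [14/May/2009:09:20:15 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
10.0.0.5 - - [14/May/2009:10:01:00 +0200] "GET /img/logo.png HTTP/1.1" 200 800 "http://example.invalid/" "curl/7.19"
"""

# Assumed placeholder for the image name that was placed in the fake order.
CANARY = "fakeorder-a7f3.gif"

# One combined-format line: ip ident user [time] "req" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_details(referer):
    """Split a referer into (host, path, params). Absent referers are logged as "-"."""
    if not referer or referer == "-":
        return None, None, {}
    u = urlparse(referer)
    # parse_qs gives lists; each parameter appears once here, so take the first value
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return u.hostname, u.path, params


def find_canary_hits(log_text, canary):
    """Every request whose path contains the canary name, with the referer decoded."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None or canary not in rec["path"]:
            continue
        host, path, params = referer_details(rec["referer"])
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "referer_host": host,
            "referer_path": path,
            "action": params.get("action"),
            "order_id": params.get("order_id"),
            "params": params,
        })
    return hits


def summarize(hits):
    """Group canary hits by source IP: referring hosts, actions seen, order ids touched."""
    by_ip = defaultdict(lambda: {"hosts": set(), "actions": [], "order_ids": set()})
    for h in hits:
        s = by_ip[h["ip"]]
        if h["referer_host"]:
            s["hosts"].add(h["referer_host"])
        if h["action"]:
            s["actions"].append(h["action"])
        if h["order_id"]:
            s["order_ids"].add(h["order_id"])
    return dict(by_ip)


if __name__ == "__main__":
    for ip, s in summarize(find_canary_hits(SAMPLE_LOG, CANARY)).items():
        print(ip, sorted(s["hosts"]), s["actions"], sorted(s["order_ids"]))
```

Run against a real access log, the summary gives exactly the three facts the post relies on: which address fetched the canary, which host the request was referred from, and which order id and action were in that URL, which is what ties the log entry back to the fake order.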

So without a doubt, what we are seeing here is that someone is looking at my fake order placed on a HerbalMaxx site and then updating its status afterwards, probably cancelling the order because it was quite obviously fake.

The IP address 116.22.27.74 is located in China and belongs to China Telecom (CHINANET Guangdong province network). There is of course a possibility that this IP address is just a proxy and not the real address assigned to the spammer, but based on my past experience (Robert Soloway, the Atkinson Brothers and that company in India that I may not mention by name), most spammers probably feel there is no reason to protect themselves by using proxies in this particular situation of reading orders. I'm also not able to find any information pointing in the direction that this IP address should be a proxy server.

The other very interesting part of the information that was logged was the referer. So apparently the spammer has a PHP application running at www.admin-zed.com that is used for administration of the orders. The registrant information for admin-zed.com is protected using the name of CSMJBS Enterprises.



And the site is hosted at the IP address 207.226.173.179, which is located in the United States and belongs to Beyond The Network America.



I of course ran the same test again later to make sure that my result was not just some kind of extreme coincidence. I placed a new fake order and the following showed up in my log files on the server:



So basically this is 24 hours after the other entries in my log file. As can be seen, the same IP address is used, so it might even be a static address assigned to the spammer. Admin-zed.com is also used again for the order administration, and this time the spammers also ran some kind of search, probably to see if they could find similar weird orders in their database. Apparently they search all the way back to 1/1-2007, which could indicate that they are not at all new in this business.

7 comments:

IKillSpammerz said...

Fantastic research as usual.

This indicates a cross section between what used to be SanCash / AffKing (which was of course related to GenBucks, which you're well-aware of) and what used to be referred to as the "Zed-Cash" affiliate program. (thus the "admin-zed" connection.)

The ordering URLs for the domain you listed in this report echo precisely the same type used for former SanCash properties:

* ManXL
* Power Enlarge
* Express Herbal
* Prestige Replica
* Diamond Replica

It's identical. So you appear to have uncovered the latest iteration of this illegal affiliate program, which by law (and numerous court orders) is not supposed to be running.

Nice work. Make sure you let the FTC know. :)

SiL / IKS / concerned citizen
http://ikillspammers.blogspot.com/

Anonymous said...

Pssst. admin-zed.com is dead.
I was digging around though, and you may want to look into Topzedadmin.com. It's only a couple IPs away.

matt john said...

E-mail spam, also known as junk e-mail, is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that email is unsolicited and sent in bulk.[1][2][3][4][5] "UCE" refers specifically to unsolicited commercial e-mail.

E-mail spam has steadily, even exponentially grown since the early 1990s to several billion messages a day. Spam has frustrated, confused, and annoyed e-mail users. The total volume of spam (over 100 billion emails per day as of April 2008) has leveled off slightly in recent years, and is no longer growing exponentially. The amount received by most e-mail users has decreased, mostly because of better filtering. About 80% of all spam is sent by fewer than 200 spammers. Botnets, networks of virus-infected computers, are used to send about 80% of spam. Since the cost of the spam is borne mostly by the recipient,[6] it is effectively postage due advertising.

The legal status of spam varies from one jurisdiction to another. In the United States, spam was declared to be legal by the CAN-SPAM Act of 2003 provided the message adheres to certain specifications. ISPs have attempted to recover the cost of spam through lawsuits against spammers, although they have been mostly unsuccessful in collecting damages despite winning in court.[7][8]

Spammers collect e-mail addresses from chatrooms, websites, customer lists, newsgroups, and viruses which harvest users' address books, and are sold to other spammers. Much of spam is sent to invalid e-mail addresses. Spam averages 94% of all e-mail sent.[9]

In CCNP training, we have also learned about spam.

Thanks

Tony said...

Unbelievable...spam comments in an anti-spam blog! Keyword spam, HTML spam, sheesh...well, brains was never spammers' strong suit!

I wanted to say THANK YOU FOR YOUR WORK! It is astounding and you are appreciated by more people than you will ever know. I hope you continue your efforts.

Anonymous said...

I am very impressed with the article I have just read. I wish the author of www.spaminmyinbox.com can continue to provide so much useful information and unforgettable experience to www.spaminmyinbox.com readers. There is not much to say except the following universal truth: The probability you will irreparably stick your foot in your mouth is directly proportional to the attractiveness of the person you are trying to impress. I will be back.

Anonymous said...

Hi, as you may have already noted, I am new here.
Hope to receive some assistance from you if I have any questions.
Thanks in advance and good luck! :)

Anonymous said...

Most people that earn money as an affiliate sign up with several Affiliate Programs. In fact, maybe you have to understand several before you find the ones that will make you the most money. One of the most important things to consider when electing to promote products as an affiliate is to choose worthwhile products. If you wouldn't buy it or have any use for it, chances are your customers won't either. Remember, even though you're selling over the web and not in person, whether or not you truly believe in the products you are promoting will show through in your marketing efforts. Choose products that you truly believe in if you plan to persuade others to buy them.

Regards,
George (The IT Guy)